
Win32/Crilock


First posted on 02 June 2014.
Source: Microsoft

Aliases:

There are no other names known for Win32/Crilock.

Explanation:

Threat behavior

Installation

Variants of Crilock can drop copies of itself into one of the following folders on your PC:

  • %APPDATA%
  • %APPDATA%\Roaming
  • %ProgramData%
  • %windir%


We have seen variants use the following names, but they could use others:

  • \msunet.exe
  • %APPDATA%\Roaming\{Random GUID}.exe, for example %APPDATA%\Roaming\{1400BEBE-1503-1236-2800-383F060F181A}.exe
  • %APPDATA%\zkauhxfbmpubhr.exe
  • %windir%\qmizatox.exe


Variants set themselves to run each time you start your PC by changing the registry. We have seen them use the following changes:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
Sets value: "Userinit"
With data: "\userinit.exe,,\msunet.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "MSUpdate"
With data: "\msunet.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "*MSUpdate"
With data: "\msunet.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "CryptoLocker"
With data: "%APPDATA%\Roaming\{random GUID}.exe"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "", for example "oromezaz"
With data: "%windir%\", for example "%windir%\qmizatox.exe"

They can also change the registry to allow themselves to spread via removable drives by forcing Autorun to be enabled:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoDriveTypeAutoRun"
With data: "145"

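As an added example (not part of the Microsoft write-up), the following Python flags, in an exported registry snapshot, the Run-key values and the NoDriveTypeAutoRun change listed above. The snapshot dict format and the sample entries are assumptions; the GUID is the example given above.

```python
import re

RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run",
)
POLICY_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
)
SUSPECT_NAMES = {"msupdate", "*msupdate", "cryptolocker"}   # value names from the write-up
GUID_EXE = re.compile(r"\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.I)
REMOVABLE = 0x04   # NoDriveTypeAutoRun bit: set means AutoRun is disabled on removable drives

def suspicious_run_value(name, data):
    """Return why a Run-key value matches the described persistence, or None."""
    name_l, data_l = name.lower(), str(data).lower()
    if name_l in SUSPECT_NAMES:
        return "known value name"
    if "msunet.exe" in data_l or GUID_EXE.search(data_l):
        return "launches msunet.exe or a {GUID}.exe"
    # Userinit should only launch userinit.exe; anything after the comma was appended.
    if name_l == "userinit" and any(p.strip() for p in data_l.split(",")[1:]):
        return "extra program appended to Userinit"

def check_registry(snapshot):
    """snapshot: {key_path: {value_name: data}} (assumed format, e.g. from a .reg export)."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if reason := suspicious_run_value(name, data):
                findings.append(f"{key}\\{name} = {data}  [{reason}]")
    for key in POLICY_KEYS:
        val = snapshot.get(key, {}).get("NoDriveTypeAutoRun")
        # 145 (0x91) leaves bit 0x04 clear, so AutoRun stays allowed on removable media.
        if val is not None and not int(val) & REMOVABLE:
            findings.append(f"{key}\\NoDriveTypeAutoRun = {val}  [removable AutoRun allowed]")
    return findings

SAMPLE_SNAPSHOT = {   # constructed; the GUID is the write-up's example, paths are placeholders
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "CryptoLocker": r"%APPDATA%\Roaming\{1400BEBE-1503-1236-2800-383F060F181A}.exe",
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run": {
        "Userinit": r"C:\Windows\system32\userinit.exe,,C:\Users\alice\AppData\Roaming\msunet.exe"},
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer": {"NoDriveTypeAutoRun": 145},
}
```

Running `check_registry(SAMPLE_SNAPSHOT)` reports the CryptoLocker and Userinit entries and the Autorun policy, and leaves the benign OneDrive entry alone.
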
Spreads via...

Removable drives

Worm variants of the family drop copies of themselves on all removable drives with the name setup.exe. They might also overwrite any EXE file found on these removable drives. See the Worm:MSIL/Crilock.A description for more information on these variants.

Payload

Prevents you from accessing your desktop

As part of its payload, some variants of the family display a full-screen webpage that covers all other windows, rendering your PC unusable. The warning asks you to pay a fee in order to receive a randomly-generated key that will "unlock" your files and regain access to your PC.

The ransomware displays a countdown clock counting down from 72 hours, and gives you the following payment options to pay the "fine":

  • Bitcoin
  • cashU
  • MoneyPak
  • paysafecard
  • Ukash


Note that the key that "unlocks" your PC is unique; you will not be able to use anyone else's key.

The following are some examples of the lock screen warning messages that Crilock displays:

[Lock screen screenshots not reproduced in this text version]

Depending on the variant of Crilock, you may be requested to pay the fee or see a message about the fee such as the following:

[Payment message screenshots not reproduced in this text version]

Encrypts files

The ransomware encrypts files on your PC that it finds when searching fixed and remote drives, to prevent you from accessing them. In the wild, the malware has been observed using RSA and AES algorithms for this purpose.

It also drops an .html or .txt file that contains instructions on how to pay the fine in every folder where it encrypts files.

Crilock.A encrypts files it finds in fixed and remote drives with the following extensions:

  • .3fr
  • .accdb
  • .ai
  • .arw
  • .bay
  • .cdr
  • .cer
  • .cr2
  • .crt
  • .crw
  • .dbf
  • .dcr
  • .der
  • .dng
  • .doc
  • .docm
  • .docx
  • .dwg
  • .dxf
  • .dxg
  • .eps
  • .erf
  • img_*.jpg
  • .indd
  • .jpe
  • .jpg
  • .kdc
  • .mdb
  • .mdf
  • .mef
  • .mp3
  • .mp4
  • .mrw
  • .nef
  • .nrw
  • .odb
  • .odc
  • .odm
  • .odp
  • .ods
  • .odt
  • .orf
  • .p12
  • .p7b
  • .p7c
  • .pdd
  • .pef
  • .pem
  • .pfx
  • .ppt
  • .pptm
  • .pptx
  • .psd
  • .pst
  • .ptx
  • .r3d
  • .raf
  • .raw
  • .rtf
  • .rw2
  • .rwl
  • .sr2
  • .srf
  • .srw
  • .wb2
  • .wpd
  • .wps
  • .x3f
  • .xlk
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx


Some variants will avoid encrypting files with the following extensions or in folders that have the following names:

Extensions:

  • avi
  • bat
  • bmp
  • chm
  • cmd
  • dll
  • exe
  • gif
  • ico
  • inf
  • ini
  • lnk
  • log
  • manifest
  • mp4
  • msi
  • png
  • scr
  • sys
  • tmp
  • txt
  • wav

Folder paths:

  • %APPDATA%
  • %LOCALAPPDATA%
  • %ProgramData%
  • %ProgramFiles%
  • %ProgramW6432%
  • $recycle.bin
  • %SystemRoot%
  • %TEMP%
  • Folders that contain the name cache

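As an added example (not from the write-up), the following Python applies the target and skip lists above to a file listing, so that after an incident the files that fall in the encryption target set can be checked against backups. Matching the skipped folders by path component and the sample listing are assumptions.

```python
import ntpath

# Extensions Crilock.A targets (the write-up's img_*.jpg entry is covered by .jpg).
TARGET_EXT = set("""3fr accdb ai arw bay cdr cer cr2 crt crw dbf dcr der dng doc docm docx
dwg dxf dxg eps erf indd jpe jpg kdc mdb mdf mef mp3 mp4 mrw nef nrw odb odc odm odp ods
odt orf p12 p7b p7c pdd pef pem pfx ppt pptm pptx psd pst ptx r3d raf raw rtf rw2 rwl sr2
srf srw wb2 wpd wps x3f xlk xls xlsb xlsm xlsx""".split())
# Extensions some variants skip.  mp4 appears in both lists; the skip is applied first.
SKIP_EXT = set("""avi bat bmp chm cmd dll exe gif ico inf ini lnk log manifest mp4 msi
png scr sys tmp txt wav""".split())
# Skipped folders, as path components.  Assumption: the %VAR% names in the write-up are
# matched by their usual expansions (%APPDATA%, %LOCALAPPDATA% and %TEMP% all sit under
# AppData; %ProgramFiles% and %ProgramW6432% under "Program Files"; %SystemRoot% is Windows).
SKIP_DIRS = {"appdata", "programdata", "program files", "windows", "$recycle.bin", "temp"}

def is_at_risk(path):
    """True if a variant honouring the skip lists would encrypt this file."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\") if p]
    dirs, name = parts[:-1], parts[-1]
    if any(d in SKIP_DIRS or "cache" in d for d in dirs):
        return False
    ext = ntpath.splitext(name)[1].lstrip(".")
    return ext not in SKIP_EXT and ext in TARGET_EXT

def triage(paths):
    """Split a file listing into (at_risk, skipped) for post-incident verification."""
    at_risk = [p for p in paths if is_at_risk(p)]
    return at_risk, [p for p in paths if p not in at_risk]

SAMPLE_LISTING = [   # constructed file listing from fixed and remote drives
    r"D:\shares\finance\Q1-budget.xlsx",
    r"C:\Users\alice\Documents\thesis.docx",
    r"C:\Users\alice\Pictures\IMG_0417.jpg",
    r"C:\Users\alice\Videos\holiday.mp4",           # mp4: targeted but also on the skip list
    r"C:\Users\alice\AppData\Roaming\notes.txt",    # skipped folder and skipped extension
    r"C:\ProgramData\vendor\config.dbf",            # targeted extension in a skipped folder
    r"C:\Users\alice\.cache\thumb.jpg",             # folder name contains 'cache'
    r"\\fileserver\archive\mailbox.pst",            # remote drive, targeted
]

if __name__ == "__main__":
    at_risk, skipped = triage(SAMPLE_LISTING)
    print(f"{len(at_risk)} at risk, {len(skipped)} skipped:", *at_risk, sep="\n  ")
```
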

Contacts servers

In the wild, we've observed the ransomware contacting a server, possibly for the following reasons:

  • To download the key it uses to encrypt files
  • To update the malware version
  • To disable the shutdown of your PC
  • To issue a denial of service attack
  • To get information about your PC


We have seen variants of Crilock try to contact the following servers:


Analysis by Marianne Mallen

Symptoms

The following could indicate that you have this threat on your PC:

  • You can't open files and you're asked to pay a ransom to retrieve them

Last update 02 June 2014
